[SSSD-users] SSSD and backup/restore after system failure

[smfrench]

In a scenario in which an sssd node joined to Active Directory crashed and had 
to be rebuilt, restoring key files from backup, other than the obvious files in 
/etc (for krb5, sssd, nss etc.) are there other sssd/krb5 persistent databases 
(/var/lib/sss/db ?) that would have to be restored (ctdb already handles Samba 
related databases like secrets.tdb) in order to recover a system after failure.

What sssd files (if any) other than those in /etc directory would be required 
to restore a system that is joined to an AD domain after failure?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] sssd and clustering/ctdb

[smfrench]

We were noticing some strange problems in two node clustered (ctdb/samba) sssd, 
cases in which both nodes joined AD fine, but "getent passwd " worked 
for only a subset of the remote AD users on one node, but worked fine on the 
other.The config seemed to be identical on the two nodes - didn't see any 
obvious problems with sssd configuration, but clearly the two nodes behave 
differently.

Are there instructions on setting up sssd in clustered environment (e.g. 
presumably similar to the clustered ctdb/samba/ceph or gluster that RHEL might 
ship)? or for the clustered case is it safer to simply use winbind?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: sssd and clustering/ctdb

[smfrench]

And I did check the obvious - googling for "clustered sssd" or "sssd and ctdb" 
didn't come up with much useful in the last year (mostly a few threads that are 
out of date from 2 or 3 years ago).
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] excessive number of adcli-krb5 tmp files

[smfrench]

I noticed that on one of our test systems running sssd we have about 150 
/tmp/adcli-krb5-* files (they already take up about 600K after a few days) and 
have contents similar to a krb5.conf file snippet

# cat /tmp/adcli-krb5-a1klQy/krb5.d/adcli-krb5-conf-sM7Ia1 
[realms]
  VWQA.LOCAL = {
kdc = vwqadc02.vwqa.local:88
master_kdc = vwqadc02.vwqa.local:88
kpasswd_server = vwqadc02.vwqa.local
  }
[domain_realm]
  vwqadc02.vwqa.local = VWQA.LOCAL
  vwqadc02.vwqa.local = VWQA.LOCAL

Any idea why there are so many of them - and what keeps creating them?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] uid -> sid mapping in Samba with sssd

[smfrench]

It wasn't obvious from the documentation whether with sssd-libwbclient (only, 
ie without sssd-winbind-idmap installed and configured in smb.conf, since 
sssd-winbind-idmap is not available in most versions of RHEL7 as it was only 
recently added),

Samba's uid_to_sid(function) can always do the lookup uid_to_sid to AD if using 
winbind but it wasn't clear whether this would work with sssd-libwbclient 
(only) installed and what additional Samba configuration is needed for that.

Without this  the owner of a file (viewed from the WIndows client) from 
Explorer GUI looks like
"Unix user\1" rather than "user@domain" (as it would for Windows to 
Windows, or if Winbind were running on the Samba server joined to AD)
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: excessive number of adcli-krb5 tmp files

[smfrench]

We do see errors in the log, although not clear yet if the large number of them 
were due to sssd service not being restarted (we fixed that and still saw the 
same two errors in the logs - just not sure if as often)

"(Wed Jan 25 21:50:20 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data 
Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Offline]" 
in the sssd log and about 7000  occurrences in the ldap log of
[[sssd[ldap_child[7916 [ldap_child_get_tgt_sync] (0x0010): Failed to init 
credentials: Preauthentication failed
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] SSSD and nested AD domains

[smfrench]

I haven't been able to find much useful information on how sssd (if at all) 
handles child domains in Active Directory.

If you join an AD domain, presumably you can authenticate any users in the 
children domains, but what happens when you do "getent" do you expect to see 
users of the child domain reflected in the getent (since you are joined to the 
parent)?  Do you expect to always be able to lookup users SIDs and UIDs from 
the children of the domains you joined?  What about the parents?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] RFC2307bis and partially configured Active Directory Domains

[smfrench]

One of the more common cases for sssd (or winbind) with RFC2307 seems to be 
getting uids/gids from Active Directory domains, but few Active Directories 
have all of their users/groups configured for the POSIX uid/gid.

How can you configure sssd behavior for this common case (among the three 
behaviors that might be desired):

1) query AD for the Unix uid/gid and fail if that particular user is not 
configured with a uid (this seems to be what sss always does and isn't really 
practical given how unlikely that AD is configured perfectly for unix uids)
2) query AD for the Unix uid/gid and if that user is not configured with a uid 
map to a default uid (uid of something like "guest" or "defaultuser" or 
whatever)
3) query AD for the Unix uid/gid and if that user is not configured with a uid 
map algorithmically

I didn't see much useful on this topic at 
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Domains.html#SSSD-AD

If sssd doesn't do that, is this a case where winbind can do it better? or is 
there a way to configure nssswitch passwd line to fallback to a 3rd trivial
alternative (files sss default e.g.) that provides a default uid for a 
user@domain who does not have a uid/gid configured in AD?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] wbinfo-like tool for sssd

[smfrench]

When debugging sssd it would be nice to be able to do various operations that 
getent can't do (e.g. 'name-to-sid' or 'sid-to-uid' etc.) or nss is not 
configured to do (testing that auth works e.g.) and the wbinfo tools has a 
pretty good list of the typical things that an admin or developer would want to 
do to test sssd or winbind, but ... I couldn't find an sssd equivalent of 
wbinfo and it looks like this is a know issue, e.g. I saw this thread 
http://serverfault.com/questions/795004/what-is-the-sssd-equivalent-for-wbinfo 
and others.

Is there any work in progress on an sssd equivalent of wbinfo?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: realm join and net join incompatibilities

[smfrench]

Yes - that looks like it works (updating /usr/lib64/realmd/realmd-defaults.conf 
to point to a 'net wrapper' that strips that parm out)
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: Multiple Active Directory Domain Controllers - what if one is down ...

[smfrench]

Do you guys prefer 'authconfig' to configure sssd rather than realm or some 
other tools?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Multiple Active Directory Domain Controllers - what if one is down ...

[smfrench]

In testing using "realm join" to join an Active Directory domain with two 
domain controllers, we ran into a problem where "realm join" would fail when 
one of the two Domain Controllers were down.It looks like in a common case 
where nslookup shows two entries for myrealm.ad.test but the first one is down 
(can't ping it), that realmd doesn't try the second one automatically - but 
rather fails the 'realm join'
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] realm join and net join incompatibilities

[smfrench]

In tracing through problems with realm join (in a Samba/ctdb cluster), I was 
noticing that realm join implicitly calls 'net ads join' (which should be a 
good thing) but it passes '-s' with a temporary smb.conf to 'net ads join' 
(which is a bad thing since it leaves out clustering=yes and the 
include=registry).   What I was noticing was that to get sssd AND Samba to work 
after 'realm join' you had to run 'net ads join' (explicitly) on at least one 
node of the cluster (but that is risky because then sssd doesn't know about the 
keytab update that 'net ads join' just did).  If you don't run 'net ads join' 
after 'realm join' - Samba will fail because it doesn't think it is joined to a 
domain (so session setups to it will get a 'NO_LOGON_SERVER' error, and 'net 
ads testjoin' will show it is not joined as well) - presumably because the 'net 
ads join' that realmd does implicitly on 'realm join' has the wrong smb.conf 
passed in to it (with no clustering).  Comparing traces of the two joins - 
 the main difference I see is that there are no ctdb related events logged in 
the 'realm join' implicitly called 'net ads join' (and secrets.tdb is missing 
the entry for the domain on all nodes).

Any thoughts of 1) how to force 'realm join' to use a better smb.conf rather 
than the temporary one it chooses during 'net ads join'  or 2) how to safely do 
a 'net ads join' after 'realm join' (and not confuse sssd)?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] realm join taking more than 5 minutes - waiting on password which was already entered

[smfrench]

In a few cases recently (again yesterday), we noticed RHEL7.3's "realm join" 
taking more than 5
minutes (which timed out in our cli, and running realm directly worked but took 
~6 minutes when
normally would take a few seconds). As you can see from the verbose output 
below the
two longest stretches (greater than 2 minutes! each) were waiting between 
launching
"net ads join" and piping the password in (and similarly "net ads keytab
create" had a long delay between starting the command and giving it the 
password). 
Looking at realmd service/realm-samba-enroll.c e.g. begin_net_process() calling 
out to
realm_command_runv_async it was not obvious why there should be any delay 
between the
launch of the net command the passing of the password (I did see one report of 
"net
ads keytab create" hanging if the keytab already existed but that is not the 
same
problem as this). Any idea how/why such long delays between launching net and 
inputting
the password in realmd async code? > 5 minutes is a long time to do something 
that
usually completes in 10 seconds

2017-08-01 19:54:09 realmd[14197]: * Performing LDAP DSE lookup on: ...
2017-08-01 19:54:09 realmd[14197]: * Successfully discovered ...
2017-08-01 19:54:10 realmd[14197]: * Required files: /usr/sbin/oddjobd,
/usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
2017-08-01 19:54:10 realmd[14197]: * Joining using a manual netbios name: 
2017-08-01 19:54:10 realmd[14197]: * LANG=C LOGNAME=root /usr/bin/net -s
/var/cache/realmd/realmd-smb-conf.0DFU4Y -U  ads join 
2017-08-01 19:56:42 realmd[14197]: Enter  password: 
2017-08-01 19:56:42 realmd[14197]: Using short domain name -- 
2017-08-01 19:56:42 realmd[14197]: Joined ... to dns domain ...
2017-08-01 19:56:42 realmd[14197]: * LANG=C LOGNAME=root /usr/bin/net -s
/var/cache/realmd/realmd-smb-conf.0DFU4Y -U  ads keytab create
2017-08-01 19:59:33 realmd[14197]: Enter  password:

Any ideas why realmd's async processing (basically passing the password to
the underlying "net ads join" etc.) is doing this?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org